Tuesday 22 May 2012

https hijacking! How to protect yourself?

Sorry for being late, I was out of the town for few days. Lets start from where we left. As we discussed in previous post, People surfing the web even over https connections are not safe. In today’s post I’d explain how we can protect ourselves from potential https hijacking with little security consciousness.
All major browsers (IE, Firefox, Chrome, Opera) come with the major certificate authorities certificates (CAs) pre-installed. You can view these certificate authorities i.e for firefox some versions:go to
Edit -> Preferences -> Advanced -> Encryption -> View Certificates -> Authorities.
This means your browser already trust VeriSign, DigiNotar, Thawte etc and any website having its certificate signed by these CAs is considered safe and trusted (because CA only issued certificates after verifying their identity). Thats why all well-know websites get certificates from these CAs e.g google from Thawte, twitter from VeriSign etc. We can assume that whenever there is https certificate from untrusted CA there are more chances that this could be a hijacked connection or the website it-self is a malicious website.
Now what we can do as security conscious e-user is: to simply reject no-secure untrusted https connections. This is the best and ONLY way to protect yourself in cyber world.
So how can we identify whether the site’s certificate is trusted or not ? Very simple, All major web-browsers show a security warning whenever we visit a (https enabled) website with untrusted certificate (whose issuer is not in our (browser) CA list). What we should do is, not continue surfing that particular website. Here is how firefox shows warning whenever we visit untrusted site.



checking the details shows you the reason for untrust e.g issuer not trusted other reasons could be “certificate expire”



You can check the certificate itself and its issuer by clicking add exception:



Get the certificate and check its issuer.



DON’T confirm security exception, this will cause that certificate a trusted one and your browser won’t complain any more.
Note: I deliberately delete thawte SSL CA from browser CA list in order to produce these warnings. imo.im is not malicious :)

2 comments:

  1. Sohail bahi...ic ka faida?

    ReplyDelete
    Replies
    1. you should read http://www.sohailaziz.com/2012/05/https-are-you-really-protected.html ,this will answer your question.

      Delete